- apache with mod_jk.so
- postgres 7.1.x
- ant (a java-based make)
+- jaxp-1.1 (a SAX 2.0 compliant XML parser, comes with ant >= 1.4)
+- the JAI image framework (Java Advanced Imaging). get it from
+ java.sun.com
+1. checkout the cvs
+
+CVS LOGIN:
+
+ cvs -d :pserver: cvsanon@brazil.indymedia.de:/var/cvs login
+ password: cvs
+
+CVS CHECKOUT:
+
+ cvs -d :pserver: cvsanon@brazil.indymedia.de:/var/cvs co mir
-1. checkout the cvs:
-cvs -d :pserver: cvsanon@brazil.indymedia.de:/var/cvs login
-password: cvs
-cvs -d :pserver: cvsanon@brazil.indymedia.de:/var/cvs lco mir
2. customize the config:
-cd mir/source
-cp config.properties-dist to config.properties
-edit config.properties
-3. configure the build.sh file with java_home
+ cd mir/source
+ cp config.properties-dist config.properties
+
+now customize config.properties for your needs.
+
+
+3. configure the build.xml file if neccessary
+ cd ..
+ cp build.xml-new build.xml
+
+
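Review bot: In step 1 the cvs commands read ":pserver: cvsanon@brazil.indymedia.de:/var/cvs" with a space after ":pserver:". As written, cvs takes ":pserver:" alone as the repository root and the rest as the command name, so both login and checkout fail. Join the two parts into a single -d argument. In step 3, "build.xml-new" breaks the "-dist" suffix used for config.properties-dist, perms.sh-dist and templates-dist; rename it or say why it differs. The heading should also say what in build.xml may need changing, now that the java_home hint for build.sh is gone.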
+4. configure the perms.sh file if neccessary -- IMPORTANT! READ THIS!
+We provide a script that sets all files' and direcories' permissions to
+a quite reasonable state. This script gets automagically called by
+ant after compilationl. The most important thing you have to do after
+compiling Mir is to ensure that the log files -- especially
+dbentity.log -- are not readable by users that could compromise
+system security, because all passwords and the like will be logged here.
+
+ cp perms.sh-dist perms.sh
+
+Now, change the install directory and group in perms.sh
+
+ edit perms.sh
+
+
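Review bot: Step 4 says dbentity.log records all passwords, but "not readable by users that could compromise system security" names no owner, group or mode, so the reader cannot tell whether perms.sh did its job. State the expected result explicitly (which user Tomcat runs as, which group gets read access, and that the log directory and its files carry no world permissions) and add a check to run after ant finishes, such as listing the log directory with ls -l. Because this replaces the old "chmod 777 Mir/log" step, say so for existing installs, whose log directory may still be world-accessible. Longer term, the thing to fix is that passwords are written to dbentity.log at all.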
+5. copy the mir/templates-dist-directory to mir/templates
+
+
+6. compile
+Do this as root so the permissions script is able to set
+the permissions and owners correctly.
+
+ ant
+
+
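Review bot: Step 6 runs the whole ant build as root only so that perms.sh can set owners. That executes the build file and everything it invokes with root privileges, on sources that step 1 fetched over anonymous CVS. Suggest compiling as an unprivileged user and running perms.sh as root as a separate, final step; if the build cannot be split that way yet, say so here so the reason for root is clear.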
+7. Link in the webapps directory of tomcat to the install directory (the
+directory is called "Mir" and is located in the same directory in which
+you installed the "mir" directory).
+ cd /usr/share/tomcat/webapps
+ ln -s Mir-install-dir Mir
+
+8. Modify your tomcat startup script and add an LD_LIBRARY_PATH variable
+that points to the WEB-INF/lib directory of your Mir install dir. (called
+"Mir"). Add something like the following at the top of tomcat.sh (tomcat.sh
+is found in the "bin/" dir. under $TOMCAT_HOME):
+ LD_LIBRARY_PATH=/path/to/Mir-install-dir/WEB-INF/lib
+
+An alternaive way to avoid this is to copy any dynamic library files
+ending with ".so" in WEB-INF/lib to your jre/jdk lib directory (where the
+other ".so" files live). Or, you can skip the whole thing and live without
+"native" acceleration for image manipulation
+
+
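Review bot: The sample line in step 8, "LD_LIBRARY_PATH=/path/to/Mir-install-dir/WEB-INF/lib", assigns without export and discards any value that was already set. Unless tomcat.sh exports the variable elsewhere, the JVM it starts will not see it; show an exported assignment that preserves the existing value. The text should also say that WEB-INF/lib then becomes a directory the JVM loads native code from, so it must be writable only by root or the install owner (something perms.sh could enforce). The same applies to copying the ".so" files into the jre/jdk lib directory. Typo: "alternaive".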
+9a. create a new database
+The database name should be the same as in config.properties. Please look at
+the section "Database.*" to look up the names or change them to your needs.
+
+It is wise in terms of system seurity to use an unprivileged user for this
+task instead of the superuser. This is because if Mir uses the superuser to
+connect to the database and anybody manages to find out the password Mir
+uses to connect, the attacker can take over the complete database. So, in
+the following examples, we assume that the database name is "Mir", the
+database user will be "mir" and the password is "joshua". Please note that
+this particular password is far from being a good one. Watch "Wargames" for
+details. =B)
+
+To access the database as the database superuser, you either have to log in
+as postgres on Unix level (which we don't recommend because you will need
+another user to have a login shell and a password which makes system
+penetration more likely) or you have to tell PostgreSQL with each
+application call that you want to connect as a specific user. If you access
+the database from any other user's account, use the -U flag to connect to
+PostgreSQL as the database superuser ("postgres"):
+
+ createdb -U postgres Mir
+
+Please note that if you create the database from inside the psql application,
+the database name will likely be converted to lowercase letters.
+
+
+9b. create an unprivileged database user for Mir
+First, connect to the database as the database's superuser.
+
+ psql -U postgres Mir
+
+Now we create the actual user. Please choose a password that is hard to
+guess instead of "joshua". Good passwords have characters and numerals in
+it, have no link to its owner (like being her birthday, age, name of her
+husband, dog, child, car, favourite beer brand). A good password looks like
+this: "8ncx4un".
+
+ CREATE USER Mir WITH PASSWORD 'joshua' NOCREATEDB NOCREATEUSER;
+
+
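Review bot: The CREATE USER line in 9b hardcodes 'joshua' directly after the paragraph that tells the reader not to use it, so a copy-and-paste install ends up with the documented password. Put an obvious placeholder in the command instead. Printing "8ncx4un" as the model of a good password has the same problem, since it is now a published string, and at seven characters it sets a low bar; describe the properties wanted rather than giving a literal. Also, "Mir" is unquoted in the statement, so PostgreSQL folds it to "mir"; that matches the user name given in 9a, but writing "mir" in the command would avoid confusion with the database name "Mir".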
+9c. create base table
+Please note that we use the superuser "postgres" to connect to the "Mir"
+database, /not/ the user "mir".
+
+ psql -Upostgres -f dbscripts/create_pg.sql Mir
+ for i in dbscripts/help*.sql ; do psql -Upostgres -f $i Mir ; done
+ for i in dbscripts/populate*.sql ; do psql -Upostgres -f $i Mir ; done
+
+
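Review bot: 9c creates every table as "postgres", so the objects belong to the superuser, and nothing visible in steps 9a to 9d grants the unprivileged "mir" user any access to them. If the dbscripts contain the GRANT statements, say so here; if they do not, add a step that grants "mir" only the privileges the application needs. Otherwise admins will work around the failure by putting the superuser into config.properties, which is exactly what 9a warns against. Minor: quote "$i" in the two for loops, and state that the commands are run from the directory that contains dbscripts.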
+9d. Apply neccessary changes to config.properties
+
+Please open config.properties and look for the lines that begin with
+"Database.". The interesting properties are "Username", "Password", "Host"
+and "Name". Change these properties so that they reflect the settings you
+used to create the database and the user.
+
+You should make sure that no copy of config.properties (neither in mir nor
+in Mir/src nor in Mir/WEB-INF/classes nor in the directory tree you compiled
+Mir from) is world-readable. Else you wouldn't have to install a password,
+anyway.
+
+
+9e. Setup PostgreSQL so that all connections have to pass a password
+
+In /etc/postgresql/pg_hba.conf you should make sure that nobody can
+use the database without a password:
+
+local all password
+host all 127.0.0.1 255.0.0.0 password
+host all 0.0.0.0 0.0.0.0 reject
+
+This means: All local connections (i.e. psql without "-h hostname" option)
+have to authenticate themselves with a password. All connections from
+localhost (127.0.0.1) have to supply a password, too. All other connections
+are rejected. This line doen't have to be there if you have a properly
+configured firewall but even if you do have one, it adds to the security in
+case an attacker penetrates the firewall by some hack.
+
+If you can't access PostgreSQL after this for any reason, try and change
+"password" in /etc/postgresql/pg_hba.conf to "trust". This should disable
+any authentication method and make the database accessible again. Please use
+this setting only temporarily because anybody who can access the PostgreSQL
+server could take over the database completely this way. After you fixed
+your password setting, switch the setting back to "password".
+You may want to change your PostgreSQL password from time to time to make
+database takeover harder. Rememer: Security is a process.
+
+
+
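Review bot: In the explanation under the three pg_hba.conf lines, "This line doen't have to be there" does not say which line is meant; from context it is the final reject entry, so name it. The recovery advice to change "password" to "trust" should say which of the two entries to change, to change only that one, and to confirm afterwards that it has been reverted, since "password" appears on both the local and the host line. The text says "localhost (127.0.0.1)" while the mask 255.0.0.0 matches the whole 127.0.0.0/8 range; use 255.255.255.255 or adjust the wording. The path /etc/postgresql/pg_hba.conf is distribution-specific, so mention that other installs keep the file in the PostgreSQL data directory. Typos: "doen't", "Rememer".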
+10. Add the dupe prevention trigger to the database:
+ cd dbscripts/dupetrigger
+
+ There, read INSTALL and follow the instructions.
+
+
+11. restart tomcat
+
+12. configure mod_jk
+
+insert the following patch into /etc/apache/httpd.conf. Edit the directories
+to suit your needs.
+
+<IfModule mod_jk.c>
+JkWorkersFile /usr/share/tomcat/conf/workers.properties
+Include /usr/share/tomcat/conf/mod_jk.conf-auto
+</IfModule>
+
+Do not put any JkMount lines into your httpd.conf!
+
+If mod_jk.conf-auto doesn't get written or is 0 bytes in size, check your
+system for file ownership/permissions problems.
+
+
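Review bot: Step 12 has Apache Include a file that Tomcat generates (mod_jk.conf-auto), and the hint to "check your system for file ownership/permissions problems" invites loosening permissions until the file gets written. Apache reads its configuration at startup, typically as root, so whoever can write that file or its directory controls part of Apache's configuration. State that /usr/share/tomcat/conf should be writable by the Tomcat user only and never world-writable, and consider recommending that admins copy a reviewed version of the generated file into place instead of including the live one. A short reason for "Do not put any JkMount lines into your httpd.conf!" would also keep readers from ignoring it.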
+13. configure apache
+
+edit http.conf:
+* set the document root to the same directory as in the mir config file
+* enable shtml includes:
+ - add LoadModule includes_module /usr/lib/apache/1.3/mod_include.so
+ - make sure your directory contains "Options Includes"
+
+
+that's it :)
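Review bot: Step 13 says "edit http.conf" while step 12 refers to /etc/apache/httpd.conf; use one name. "Options Includes" also enables the exec element of server-side includes. If pages under the document root can contain text submitted through the open-posting servlet, recommend "Options IncludesNOEXEC" unless Mir's templates actually need exec, and tell the reader to set it in the Directory block for the Mir document root instead of server-wide.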
-4. Link in the webapps directory of tomcat to the install directory (the directory is called Mir).
+now the admin-application is accesable via:
-5. copy the mir/template-dist-directory to mir/template
+ http://host/Mir
-6. run sh buil.sh
+and the openposting-servlet via
+
+ http://host/OpenMir
-7. create a new database (the dbname should be the same as in config.properties)
-as user postgres: createdb dbname
+standard login is redaktion/indymedia
-8. run psql dump of create_pg.sql:
-psql -Upostgres dbname < create_pg.sql
-8. run psql dump of help*.sql files.
-9. chmod 777 Mir/log
+TROUBLESHOOTING
-10. restart tomcat
+You can give these a try if anything goes wrong:
-11. configure mod_jk
++ Restart Tomcat. Especially after compiling the sources Tomcat has to be
+ restarted.
-12. now the admin-application is accesable by: http://host/Mir and the openposting-servlet by http://host/OpenMir>
++ Check file permissions and ownership. Try and run perms.sh.
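Review bot: The line "standard login is redaktion/indymedia" documents a default credential for the admin application at http://host/Mir without telling the reader to change it. Add an explicit step to change that password (or replace the account) before the host is reachable from outside, and place it before "that's it :)" so it reads as part of the install, not as a footnote. Typo: "accesable". In TROUBLESHOOTING, "Try and run perms.sh" should repeat that the script needs root, as step 6 states.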